Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#13870 closed defect (worksforme)

New version firewall BUG with open port for router

Reported by: piotr.kuchciak@… Owned by: developers
Priority: highest Milestone: Barrier Breaker 14.07
Component: base system Version: Attitude Adjustment 12.09
Keywords: new firewall Cc:

Description

The new version of the firewall has a problem with opening a port on the router's IP address. The new firewall is included in the new version of Gargoyle, which is based on Attitude Adjustment r37267. When the Gargoyle GUI is used to forward port 9981 to the router's IP address 192.168.23.1, rules of the following type are created in /etc/config/firewall:

config redirect 'redirect_enabled_number_3'
	option name 'TV'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '9981'
	option dest_ip '192.168.23.1'
	option dest_port '9981'

config redirect 'redirect_enabled_number_4'
	option name 'TV'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '9981'
	option dest_ip '192.168.23.1'
	option dest_port '9981'

However, the port is not open: it is not accessible from outside the network (from the Internet). In the old version of the firewall everything worked OK; executing the same operation opened the port without problems.

Now you need to add the rule by hand from the console; it is a rule of the following type in the file /etc/config/firewall:

config rule
	option name 'test_tv'
	option src 'wan'
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '9981'

But it is annoying because the rule is not visible in the GUI and it has to be done from the console. Is there a chance to fix the error in future versions? I'll be grateful for addressing this problem.

Attachments (0)

Change History (8)

comment:1 Changed 5 years ago by anonymous

sorry for the mistake

"Now you need to add hand rule"

comment:2 Changed 5 years ago by jow

  • Resolution set to worksforme
  • Status changed from new to closed

This report makes no sense at all. Each redirect automatically creates a corresponding forward accept rule; the second rule you added by hand is an input rule. Additionally, port redirects work just fine here.

I suspect your problem lies somewhere else and is not related to the firewall configuration.
Also gargoyle is an openwrt fork with various nonstandard additions, so report your problem there.

comment:3 Changed 5 years ago by anonymous

  • Resolution worksforme deleted
  • Status changed from closed to reopened

It is not a Gargoyle problem.
Rule:

config redirect
	option name 'ssh'
	option src 'wan'
	option proto 'tcpudp'
	option src_dport '5555'
	option dest_ip '192.168.1.1'
	option dest_port '22'
	option target 'DNAT'
	option dest 'lan'

On

DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="12.09"
DISTRIB_REVISION="r36088"
DISTRIB_CODENAME="attitude_adjustment"
DISTRIB_TARGET="ar71xx/generic"
DISTRIB_DESCRIPTION="OpenWrt Attitude Adjustment 12.09"

I can connect to wan:5555 but not on

root@OpenWrt:/# cat /etc/openwrt_release 
DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="Attitude Adjustment"
DISTRIB_REVISION="r37266"
DISTRIB_CODENAME="attitude_adjustment"
DISTRIB_TARGET="ar71xx/generic"
DISTRIB_DESCRIPTION="OpenWrt Attitude Adjustment 12.09.1"

with the same rule

comment:4 Changed 5 years ago by jow

Attach the output of iptables -nvL and iptables -t nat -nvL

comment:5 Changed 5 years ago by anonymous

Version 36088 - ok

root@OpenWrt:~# iptables -v -L -t nat | grep 5555
    0     0 DNAT       tcp  --  any    any     192.168.1.0/24       10.1.1.163          tcp dpt:5555 /* wan */ to:192.168.1.1:22 
    0     0 DNAT       udp  --  any    any     192.168.1.0/24       10.1.1.163          udp dpt:5555 /* wan */ to:192.168.1.1:22 
    1    60 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:5555 to:192.168.1.1:22 
    0     0 DNAT       udp  --  any    any     anywhere             anywhere            udp dpt:5555 to:192.168.1.1:22 
root@OpenWrt:~# iptables -v -L -t nat | grep 22
    0     0 DNAT       tcp  --  any    any     192.168.1.0/24       10.1.1.163          tcp dpt:5555 /* wan */ to:192.168.1.1:22 
    0     0 DNAT       udp  --  any    any     192.168.1.0/24       10.1.1.163          udp dpt:5555 /* wan */ to:192.168.1.1:22 
    1    60 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:5555 to:192.168.1.1:22 
    0     0 DNAT       udp  --  any    any     anywhere             anywhere            udp dpt:5555 to:192.168.1.1:22 
root@OpenWrt:~# iptables -v -L -t nat | grep ssh
    0     0 SNAT       tcp  --  any    any     192.168.1.0/24       OpenWrt.lan         tcp dpt:ssh /* wan */ to:192.168.1.1 
    0     0 SNAT       udp  --  any    any     192.168.1.0/24       OpenWrt.lan         udp dpt:ssh /* wan */ to:192.168.1.1 
root@OpenWrt:~# iptables -v -L | grep 5555
root@OpenWrt:~# iptables -v -L | grep 22
root@OpenWrt:~# iptables -v -L | grep ssh
    0     0 ACCEPT     tcp  --  any    any     192.168.1.0/24       OpenWrt.lan         tcp dpt:ssh /* wan */ 
    0     0 ACCEPT     udp  --  any    any     192.168.1.0/24       OpenWrt.lan         udp dpt:ssh /* wan */ 
    1    60 ACCEPT     tcp  --  any    any     anywhere             OpenWrt.lan         tcp dpt:ssh ctstate DNAT 
    0     0 ACCEPT     udp  --  any    any     anywhere             OpenWrt.lan         udp dpt:ssh ctstate DNAT 

root@OpenWrt:~# iptables -nvL 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1106 64737 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
  188 13288 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    2   120 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
    5   240 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   240 input      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  787 68801 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
  188 13288 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
   46  3432 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   46  3432 output     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain forwarding_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 nat_reflection_fwd  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   180 zone_lan   all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    1    60 zone_wan   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain input_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain nat_reflection_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.1         tcp dpt:22 /* wan */ 
    0     0 ACCEPT     udp  --  *      *       192.168.1.0/24       192.168.1.1         udp dpt:22 /* wan */ 

Chain output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   46  3432 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   46  3432 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   120 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 25/sec burst 50 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   180 input_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   180 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
    4   180 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 forwarding_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_lan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:22 ctstate DNAT 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.1         udp dpt:22 ctstate DNAT 
    0     0 input_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   34  2584 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
root@OpenWrt:~# iptables -t nat -nvL 
Chain PREROUTING (policy ACCEPT 3 packets, 148 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   864 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    3   148 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    1    60 zone_wan_prerouting  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 4 packets, 208 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 189 packets, 13620 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 156 packets, 11112 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  234 16720 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_lan_nat  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
   34  2584 zone_wan_nat  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain nat_reflection_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       10.1.1.163          tcp dpt:5555 /* wan */ to:192.168.1.1:22 
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       10.1.1.163          udp dpt:5555 /* wan */ to:192.168.1.1:22 

Chain nat_reflection_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.1         tcp dpt:22 /* wan */ to:192.168.1.1 
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.1         udp dpt:22 /* wan */ to:192.168.1.1 

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  189 13620 nat_reflection_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain prerouting_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   208 nat_reflection_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain prerouting_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   148 prerouting_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   34  2584 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5555 to:192.168.1.1:22 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:5555 to:192.168.1.1:22 
    0     0 prerouting_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0  

Version 37266 - not ok:

root@OpenWrt:/# iptables -v -L -t nat | grep 5555
    0     0 DNAT       tcp  --  any    any     192.168.1.0/24       10.1.1.163          tcp dpt:5555 /* ssh (reflection) */ to:192.168.1.1:22 
    0     0 DNAT       udp  --  any    any     192.168.1.0/24       10.1.1.163          udp dpt:5555 /* ssh (reflection) */ to:192.168.1.1:22 
    1    60 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:5555 /* ssh */ to:192.168.1.1:22 
    0     0 DNAT       udp  --  any    any     anywhere             anywhere            udp dpt:5555 /* ssh */ to:192.168.1.1:22 
root@OpenWrt:/# iptables -v -L -t nat | grep 22
    0     0 DNAT       tcp  --  any    any     192.168.1.0/24       10.1.1.163          tcp dpt:5555 /* ssh (reflection) */ to:192.168.1.1:22 
    0     0 DNAT       udp  --  any    any     192.168.1.0/24       10.1.1.163          udp dpt:5555 /* ssh (reflection) */ to:192.168.1.1:22 
    1    60 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:5555 /* ssh */ to:192.168.1.1:22 
    0     0 DNAT       udp  --  any    any     anywhere             anywhere            udp dpt:5555 /* ssh */ to:192.168.1.1:22 
root@OpenWrt:/# iptables -v -L -t nat | grep ssh
    0     0 SNAT       tcp  --  any    any     192.168.1.0/24       OpenWrt.lan         tcp dpt:ssh /* ssh (reflection) */ to:192.168.1.1 
    0     0 SNAT       udp  --  any    any     192.168.1.0/24       OpenWrt.lan         udp dpt:ssh /* ssh (reflection) */ to:192.168.1.1 
    0     0 DNAT       tcp  --  any    any     192.168.1.0/24       10.1.1.163          tcp dpt:5555 /* ssh (reflection) */ to:192.168.1.1:22 
    0     0 DNAT       udp  --  any    any     192.168.1.0/24       10.1.1.163          udp dpt:5555 /* ssh (reflection) */ to:192.168.1.1:22 
    1    60 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:5555 /* ssh */ to:192.168.1.1:22 
    0     0 DNAT       udp  --  any    any     anywhere             anywhere            udp dpt:5555 /* ssh */ to:192.168.1.1:22 
root@OpenWrt:/# iptables -v -L | grep 5555
root@OpenWrt:/# iptables -v -L | grep 22
root@OpenWrt:/# iptables -v -L | grep ssh
    0     0 zone_lan_dest_ACCEPT  tcp  --  any    any     192.168.1.0/24       OpenWrt.lan         tcp dpt:ssh /* ssh (reflection) */ 
    0     0 zone_lan_dest_ACCEPT  udp  --  any    any     192.168.1.0/24       OpenWrt.lan         udp dpt:ssh /* ssh (reflection) */ 
    0     0 ACCEPT     tcp  --  any    any     anywhere             OpenWrt.lan         tcp dpt:ssh /* ssh */ 
    0     0 ACCEPT     udp  --  any    any     anywhere             OpenWrt.lan         udp dpt:ssh /* ssh */ 

root@OpenWrt:/# iptables -nvL 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  359 23644 delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  297 26626 delegate_output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for forwarding */ 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  148 11186 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  211 12458 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for input */ 
  208 12284 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    2   120 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
    2   114 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    1    60 zone_wan_input  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  148 11186 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
  149 15440 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for output */ 
  108 12452 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
   41  2988 zone_wan_output  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   120 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 25/sec burst 50 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for forwarding */ 
    0     0 zone_lan_dest_ACCEPT  tcp  --  *      *       192.168.1.0/24       192.168.1.1         tcp dpt:22 /* ssh (reflection) */ 
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       192.168.1.0/24       192.168.1.1         udp dpt:22 /* ssh (reflection) */ 
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* forwarding lan -> wan */ 
    0     0 zone_lan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   114 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for input */ 
    2   114 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for output */ 
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   114 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   41  2988 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for forwarding */ 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:22 /* ssh */ 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.1         udp dpt:22 /* ssh */ 
    0     0 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for input */ 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 /* Allow-DHCP-Renew */ 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 /* Allow-Ping */ 
    1    60 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   41  2988 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for output */ 
   41  2988 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_src_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 reject     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
root@OpenWrt:/# iptables -t nat -nvL 
Chain PREROUTING (policy ACCEPT 4 packets, 194 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5   254 delegate_prerouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 2 packets, 114 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 115 packets, 8172 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 74 packets, 5184 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  116  8212 delegate_postrouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain delegate_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  116  8212 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for postrouting */ 
    0     0 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
   42  3028 zone_wan_postrouting  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain delegate_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   254 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for prerouting */ 
    4   194 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    1    60 zone_wan_prerouting  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for postrouting */ 
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.1         tcp dpt:22 /* ssh (reflection) */ to:192.168.1.1 
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.1         udp dpt:22 /* ssh (reflection) */ to:192.168.1.1 

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   194 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for prerouting */ 
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       10.1.1.163          tcp dpt:5555 /* ssh (reflection) */ to:192.168.1.1:22 
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       10.1.1.163          udp dpt:5555 /* ssh (reflection) */ to:192.168.1.1:22 

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   42  3028 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for postrouting */ 
   42  3028 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for prerouting */ 
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5555 /* ssh */ to:192.168.1.1:22 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:5555 /* ssh */ to:192.168.1.1:22 

comment:6 Changed 5 years ago by jow

  • Resolution set to worksforme
  • Status changed from reopened to closed

The emitted rules are identical; whatever your problem is, it is not related to the firewall.

comment:7 Changed 5 years ago by jow

I think I finally understand your problem: you misused port forwards with the destination set to the router itself to open ports on wan? That is undefined behaviour and only worked by accident. You can achieve the same effect by leaving the destination IP empty instead of setting it to the router IP.
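In the listing above the DNAT for WAN port 5555 targets 192.168.1.1:22 while its ACCEPT sits in zone_wan_forward (dst 192.168.1.1 dpt:22); a packet whose post-DNAT destination is a router address traverses INPUT rather than FORWARD, so that ACCEPT never matches and zone_wan_input falls through to zone_wan_src_REJECT. The checker below is an added example, not code from the ticket or from the firewall package: it parses `iptables -nvL` text and flags DNATs to a router address that only the zone forward chain accepts. The chain excerpts are constructed from the listing, and the set of router addresses is an assumption supplied by the caller.

```python
"""Flag DNATs to the router's own address whose ACCEPT sits in zone_<z>_forward: locally addressed
packets traverse INPUT, so zone_<z>_input's REJECT wins. Added example; excerpts built from the ticket."""
import re
FILTER = """\
Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:22 /* ssh */
Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 /* Allow-DHCP-Renew */
    1    60 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
NAT = """\
Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5555 /* ssh */ to:192.168.1.1:22
"""

def parse_chains(listing):
    """Map chain name -> rules; columns: pkts bytes target prot opt in out src dst [match]."""
    chains, name = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            name = line.split()[1]
            chains[name] = []
        elif name and len(f := line.split(None, 9)) >= 9 and f[0] != "pkts":
            chains[name].append({"target": f[2], "proto": f[3], "dst": f[8],
                                 "match": f[9].strip() if len(f) > 9 else ""})
    return chains

def accepts(rules, proto, dst, port):
    """True if an ACCEPT in `rules` covers the flow (wildcard proto/dst/port allowed)."""
    return any(r["target"] == "ACCEPT" and r["proto"] in (proto, "all") and r["dst"] in (dst, "0.0.0.0/0")
               and ("dpt:" not in r["match"] or re.search(rf"dpt:{port}\b", r["match"])) for r in rules)

def find_unreachable_dnats(filter_listing, nat_listing, router_addrs):
    """(zone, proto, addr, port) for each DNAT to a router address accepted only in zone_<zone>_forward."""
    filt, nat, out = parse_chains(filter_listing), parse_chains(nat_listing), []
    for chain, rules in nat.items():
        z = re.fullmatch(r"zone_(\w+)_prerouting", chain)
        for r in (rules if z else []):
            to = re.search(r"to:([\d.]+)(?::(\d+))?", r["match"])
            if r["target"] != "DNAT" or not to or to.group(1) not in router_addrs:
                continue
            dpt = re.search(r"dpt:(\d+)", r["match"])  # DNAT keeps the original dport when to: has none
            addr, port = to.group(1), to.group(2) or (dpt[1] if dpt else "")
            if accepts(filt.get(f"zone_{z[1]}_forward", []), r["proto"], addr, port) and \
               not accepts(filt.get(f"zone_{z[1]}_input", []), r["proto"], addr, port):
                out.append((z[1], r["proto"], addr, port))
    return out
```

Calling find_unreachable_dnats(FILTER, NAT, {"192.168.1.1"}) returns [("wan", "tcp", "192.168.1.1", "22")], the rule pair seen in the listing; a forward to a LAN host, or a DNAT that zone_wan_input does accept, is not reported.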

comment:8 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
